On the last telecon, I was given a handful of editing tasks for CSP
1.0. I believe my CSP 1.0 editing queue is now empty.

1) This patch allows servers to send multiple Content-Security-Policy headers.
http://dvcs.w3.org/hg/content-security-policy/rev/f0931d0ab6eb

2) This patch removes the draconian error handling for including a
comma in a CSP policy. Combined with the previous patch, these
patches cause user agents to split the Content-Security-Policy on
comma before feeding it to the policy parser (thanks to a bit of ABNF
magic).
http://dvcs.w3.org/hg/content-security-policy/rev/92b2fc38ee2e

3) This patch changes the error handling behavior for parsing host
expressions in source lists. As discussed, we'll now ignore the stuff
after a "/" so that we can later introduce semantics for that syntax
(e.g., to restrict fetching resources by path as well).
http://dvcs.w3.org/hg/content-security-policy/rev/7e066a2ccb94

Thanks!
Adam
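
The parsing behaviour described in the message above, sketched as an added example that is not part of the original message, the spec text or any browser's code. The function names and the sample headers are hypothetical, and each directive is assumed to be a name followed by whitespace-separated source expressions.

```javascript
// Added illustration of the three changes: multiple headers, splitting on
// commas before policy parsing, and ignoring what follows "/" in a host
// expression. All names here are hypothetical.

// Each header value may hold several comma-separated policies, and a
// response may carry several headers; both yield a flat list of policies.
function splitPolicies(headerValues) {
  return headerValues
    .flatMap((value) => value.split(","))
    .map((policy) => policy.trim())
    .filter((policy) => policy.length > 0);
}

// Drop everything from the first "/" that follows the host, leaving
// scheme, host and port intact. Keywords such as 'self' contain no "/".
function stripPath(source) {
  const schemeEnd = source.indexOf("://");
  const hostStart = schemeEnd === -1 ? 0 : schemeEnd + 3;
  const slash = source.indexOf("/", hostStart);
  return slash === -1 ? source : source.slice(0, slash);
}

// Parse one policy into [directiveName, sourceList] pairs.
function parsePolicy(policy) {
  return policy
    .split(";")
    .map((directive) => directive.trim().split(/\s+/))
    .filter((tokens) => tokens[0] !== "")
    .map(([name, ...sources]) => [name.toLowerCase(), sources.map(stripPath)]);
}

// Constructed sample: two headers, the first holding two policies.
const sampleHeaders = [
  "default-src 'self', script-src https://cdn.example.com/js/app.js",
  "img-src example.org:8443/images/ data:",
];
const parsed = splitPolicies(sampleHeaders).map(parsePolicy);
console.log(JSON.stringify(parsed, null, 2));
```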